Back to skill

Security audit

Mallary Openclaw Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Mallary social-media automation helper, but it gives agents live publishing/account-management authority and includes unsafe credential-handling guidance.

Install only if you intend to let an agent manage real Mallary-connected social accounts. Use a least-privilege or test API key, do not print the key, avoid storing it permanently in shell profiles, verify the target profile/platform before posting or deleting, and treat local media paths and webhook URLs as data sent outside your machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (13)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation includes a live `posts create` example against real social platforms without an explicit warning that it will modify external account data. In an agent/automation context, users may copy-paste this command during testing and unintentionally publish content to production-facing accounts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide instructs users to persist `MALLARY_API_KEY` in shell startup files without warning that this stores a long-lived secret in plaintext in dotfiles. That increases the risk of credential exposure through local compromise, backups, screen sharing, shell history mistakes, or accidental inclusion in support bundles and repos.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation states that local media and thumbnail paths are uploaded automatically before sending the post request, but it does not prominently warn users that providing a local path causes outbound data transmission to Mallary infrastructure. In an agent context, this can lead to unintended exfiltration of local files if an LLM or workflow selects sensitive paths, especially because the behavior is automatic and framed as a convenience feature.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation provides ready-to-run examples for creating posts on external social platforms but does not warn that these actions can publish publicly, affect connected accounts, or trigger irreversible external side effects. In an agent skill context, this increases the risk that an LLM or automation workflow will execute examples or construct real publish requests without explicit user confirmation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation presents `mallary posts delete 123` as a normal workflow without any warning that it is destructive, potentially irreversible, or should be scoped to the intended profile/account. In an agent-driven or scripted environment, this increases the chance of accidental deletion of social content, especially when users copy commands directly from quick-start docs.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README documents destructive operations such as deleting posts and disconnecting platforms without any warning about irreversible effects, confirmation behavior, or safe-use guidance. In an agent/CLI context, this increases the chance that automation or an AI agent will invoke account-altering commands accidentally, causing loss of scheduled content or social account connectivity.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README states that local media paths in payloads are automatically uploaded to the Mallary CDN and then transmitted onward, but it does not prominently warn users that specifying a local path causes file exfiltration to a remote service. In an AI-agent workflow, this is particularly risky because an agent may treat local paths as harmless inputs and unintentionally upload sensitive local files or profile-scoped data to external infrastructure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly tells the user to run `printenv MALLARY_API_KEY`, which prints the full secret into terminal output that may be logged, copied, or exposed to an agent runtime. In an agent/tooling context, command output is often visible to the model, orchestration layer, or audit logs, so this guidance increases the chance of credential disclosure.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation includes `mallary platforms disconnect ...` commands without warning that they revoke or sever connected social-platform integrations. In an agent-driven workflow, a model could invoke these examples as routine operations, causing unintended service disruption or loss of publishing capability.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The webhook examples send event data to arbitrary external URLs without any privacy or trust-boundary warning. This can cause post metadata, profile information, or operational events to be transmitted to third-party endpoints controlled by an attacker or misconfigured destination.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation states that local files are automatically uploaded to Mallary's CDN before posting, but it does not prominently warn users that this causes data to leave the local machine and become hosted on a remote service. In a tool intended for AI agents and automated workflows, this increases the risk of accidental exfiltration of sensitive local files, especially if users or agents assume upload is only a local preprocessing step.

Ssd 3

Medium
Confidence
99% confidence
Finding
The guidance directly encourages revealing the API key value in terminal output by checking it with `printenv`, which exposes the complete credential rather than only verifying presence. Because this skill is intended for MCP/CLI/API workflows used by agents, printed secrets are especially likely to end up in model-visible transcripts, logs, screenshots, or telemetry.

Ssd 3

Medium
Confidence
93% confidence
Finding
Repeated examples such as `export MALLARY_API_KEY=your_api_key` normalize putting the full credential directly into shell commands, which commonly persist in shell history and may be captured by agent traces or CI logs. While placeholder-based examples are common, this skill lacks compensating warnings in a context where automated agents may reproduce the pattern unsafely.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.